FTP Support on ACE Module

Hi All,

Can anyone tell me whether FTP active and passive load balancing is supported on the ACE module? Is there any Cisco document on this, or any examples of how to configure it?

Thanks in advance.

2 Accepted Solutions (both replies by Syed Iftekhar Ahmed; they appear in full in the thread below)

14 Replies

Here is a sample config:

serverfarm host FTPSERVERS
  probe FTP-Probe
  rserver FTP-Real1
    inservice
  rserver FTP-Real2
    inservice

class-map match-all FTP-CLASS
  match virtual-address 10.10.10.1 tcp eq ftp

policy-map type loadbalance first-match ftp-policy
  class class-default
    serverfarm FTPSERVERS

policy-map multi-match FTP
  class FTP-CLASS
    loadbalance vip inservice
    loadbalance policy ftp-policy
    loadbalance vip icmp-reply active
    inspect ftp

Syed Iftekhar Ahmed

Hello Iftekhar,

Thanks for the update,

I know that I should use FTP inspection to prepare the data connections, but I have not found any mention of whether this supports both types of FTP.

Can you please throw some light on where to look for active and passive? Is there any Cisco document with a detailed explanation of this?

If you want to enable both active and passive FTP, then use the following config:

serverfarm host FTPSERVERS
  probe FTP-Probe
  rserver FTP-Real1
    inservice
  rserver FTP-Real2
    inservice

class-map match-all FTP-CLASS
  match virtual-address 10.10.10.1 tcp eq ftp

class-map match-all FTP-PASV-CLASS
  match virtual-address 10.10.10.1 tcp eq any

policy-map type loadbalance first-match ftp-policy
  class class-default
    serverfarm FTPSERVERS

policy-map multi-match FTP
  class FTP-CLASS
    loadbalance vip inservice
    loadbalance policy ftp-policy
    loadbalance vip icmp-reply active
    inspect ftp
  class FTP-PASV-CLASS
    nat dynamic 100 vlan 10

service-policy input FTP

interface vlan 10
  ip address 10.10.10.100 255.255.255.0
  nat-pool 100 10.10.10.1 10.10.10.1 netmask 255.255.255.255
  no shutdown

For passive FTP, the changes are there to ensure that the data channel is also NATed.

HTH

Syed Iftekhar Ahmed

Hello Syed,

Thanks for the clear explanation of this. This is what I was looking for.

Just wondering where you got this info from, as I searched the whole Cisco site but did not find this information there.

I would appreciate it if you could share the link.

I am afraid there is no such link.

Just read how passive FTP works and translate it to ACE config.

Syed Iftekhar Ahmed

Hi Syed,

Thanks a ton for the answer.

Hi Syed,

There is:

class-map match-all FTP-PASV-CLASS
  match virtual-address 10.10.10.1 tcp eq any

Why is there "any"? In the basic passive config it is like this:

class-map match-all FTP-CLASS
  match virtual-address 10.10.10.1 tcp eq ftp

Could active + passive be like this?

class-map match-all FTP-PASV-CLASS
  match virtual-address 10.10.10.1 tcp eq ftp

Thanks in advance.

Usman, please read my following response on TFTP load balancing; it will give you an idea of what I meant in the FTP config.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=Application%20Networking&topicID=.ee7814f&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1d06f

Syed Iftekhar Ahmed

Yes, it can be eq ftp; however, there is no need for the second part at all.

Actually, there is no need to have separate config for active or passive. ACE can take care of the translation of the embedded IP and can proxy the corresponding second channel well for both active and passive mode.

Tested on version A2(1.0).
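The two replies above (Syed's "read how passive FTP works and translate it to ACE config" and the note that ACE translates the embedded IP for both modes) both come down to the same mechanism: the data-channel endpoint is carried as six decimal numbers inside the control channel, and a load balancer doing NAT has to find it, decode it, and rewrite the address. The Python below is an added example written for this thread, not code from the thread or from Cisco, and it is not ACE's implementation; it shows the same logic that `inspect ftp` performs on the box. The addresses are constructed: a real server 10.10.10.11 fronted by the thread's VIP 10.10.10.1, and a client 192.168.1.10.

```python
"""Added example: how an FTP inspection engine reads and rewrites the
data-channel endpoint embedded in the FTP control channel.

Active FTP:  the client sends  PORT h1,h2,h3,h4,p1,p2  and the server
             connects back to that client address/port (from port 20).
Passive FTP: the client sends PASV and the server answers
             227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); the client
             then connects to that server address/port.
In both cases the port is p1*256 + p2.

Behind a VIP the 227 reply carries the real server's address, so a
load balancer that NATs the server must rewrite it to the VIP (and
expect the matching data connection).  That is the "translation of the
embedded IP" the thread refers to.  All addresses here are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s[^(]*\(" + _SIX + r"\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "active" (PORT from the client) or "passive" (227 from the server)
    host: str   # address the other side will connect to
    port: int


def _match(line: str):
    """Return ("active"|"passive", regex match) for a PORT / 227 line, else None."""
    m = PORT_RE.match(line)
    if m:
        return "active", m
    m = PASV_RE.match(line)
    if m:
        return "passive", m
    return None


def decode_hostport(parts) -> tuple:
    """Turn the six numbers into (host, port); reject out-of-range values."""
    octets = [int(x) for x in parts[:4]]
    p1, p2 = int(parts[4]), int(parts[5])
    if any(not 0 <= o <= 255 for o in octets) or not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(map(str, octets)), port


def encode_hostport(host: str, port: int) -> str:
    """Inverse of decode_hostport: ('a.b.c.d', port) -> 'a,b,c,d,p1,p2'."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def parse_control_line(line: str) -> Optional[DataChannel]:
    """Extract the announced data-channel endpoint; None for other or malformed lines."""
    found = _match(line)
    if found is None:
        return None
    mode, m = found
    try:
        host, port = decode_hostport(m.groups())
    except ValueError:
        return None
    return DataChannel(mode, host, port)


def rewrite_embedded_address(line: str, translations: dict) -> str:
    """Rewrite the embedded address the way an inspecting NAT does.

    `translations` maps an inside address (e.g. a real server) to its
    outside address (e.g. the VIP).  The port is kept, which matches a
    one-to-one address NAT; lines with no known address are untouched.
    """
    found = _match(line)
    if found is None:
        return line
    _, m = found
    try:
        host, port = decode_hostport(m.groups())
    except ValueError:
        return line
    if host not in translations:
        return line
    new = encode_hostport(translations[host], port)
    return line[: m.start(1)] + new + line[m.end(6):]


if __name__ == "__main__":
    # Constructed session: real server 10.10.10.11 behind VIP 10.10.10.1.
    nat = {"10.10.10.11": "10.10.10.1"}
    session = [
        ("C", "USER anonymous"),
        ("C", "PORT 192,168,1,10,4,1"),                           # active: server dials client:1025
        ("S", "200 PORT command successful."),
        ("C", "PASV"),
        ("S", "227 Entering Passive Mode (10,10,10,11,195,80)."),  # passive: must become the VIP
    ]
    for side, line in session:
        chan = parse_control_line(line)
        note = f"   <- data channel ({chan.mode}) {chan.host}:{chan.port}" if chan else ""
        print(f"{side}> {rewrite_embedded_address(line, nat)}{note}")
```

Running the block prints the session with the 227 reply rewritten to `(10,10,10,1,195,80)` while the client's PORT line passes through unchanged, which is why one `inspect ftp` under the `tcp eq ftp` class covers both modes: the engine only has to recognise the two message shapes, and in each case it knows which side will open the data connection and to where.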

So basically what you mean is that when you are matching on FTP (eq ftp) and you specify inspection of the FTP data channel (inspect ftp) in your policy-map, it will support both active and passive initiated connections, without the need for the additional config that Iftekhar has made?

We would get something like this and it supports both active and passive ftp?

serverfarm host FTPSERVERS
  probe FTP-Probe
  rserver FTP-Real1
    inservice
  rserver FTP-Real2
    inservice

class-map match-all FTP-ACT-PASV-CLASS
  match virtual-address 10.10.10.1 tcp eq ftp

policy-map type loadbalance first-match ftp-policy
  class class-default
    serverfarm FTPSERVERS

policy-map multi-match FTP
  class FTP-ACT-PASV-CLASS
    loadbalance vip inservice
    loadbalance policy ftp-policy
    loadbalance vip icmp-reply active
    inspect ftp

interface vlan 10
  ip address 10.10.10.100 255.255.255.0
  service-policy input FTP
  no shutdown

Thanks for the update.

acennami (Level 1)

What about FTP where the server is behind the loadbalancer and is NAT'd on the way out...

The config below works in 1.6, but in the 2.0 train I get the message: Error: This class doesn't have tcp protocol and a specific port

Since upgrading I can't seem to create an L3 access list, and my inspect ftp statements appear to be broken on the outbound NATs. Inbound/VIPs are OK, because I created specific VIPs for FTP which accept the 'inspect ftp' command.

access-list src-nat-jedi1p-ftp line 230 extended deny ip host 10.162.74.161 10.122.0.0 255.255.0.0

class-map match-any SRC-NAT-jedi1p
  2 match access-list src-nat-jedi1p

policy-map multi-match NAT-Policy
  class SRC-NAT-jedi1p
    nat dynamic 34 vlan 310
    inspect ftp   --> this command is rejected, and I cannot create an ACL with layer 3 properties/permissions.

In the new code you cannot use "inspect ftp" under a non-FTP VIP.

************** doesn't work ***************************

class-map match-any non-ftp-VIP
  2 match virtual-address 1.1.1.1 any

policy-map multi-match xyz
  class non-ftp-VIP
    inspect ftp

Error: This class doesn't have tcp protocol and a specific port

*********** works *************************************

class-map match-any VIP-FTP
  2 match virtual-address 1.1.1.1 tcp eq ftp

policy-map multi-match xyz
  class VIP-FTP
    inspect ftp

<--- No complaints.

Syed Iftekhar Ahmed

That much I understand, but I am trying to apply this to an outbound NAT policy, not a virtual-server VIP policy.

I've been able to fix the FTP inspection on the VIPs in the manner described, but this does not help me with the outbound NAT connections, which pass through the "NAT-Policy".

Hi all,

With version 2.1.0, do you know if there is some FTP bug?

I'll explain: sometimes (3 out of 10 times) FTP from a Windows client (FileZilla and WinSCP) does not work :(.

The topology is: msfc-->ace-->fwsm1+fwsm2-->ace-->real

I have mac-sticky enabled and firewall load balancing configured well (per the Cisco guideline). When I see FTP not working, I notice this:

ACE# show conn address netmask 255.255.255.255

conn-id    np dir proto vlan source      destination state
----------+--+---+-----+----+-----------+-----------+------+
93675      1  in  TCP   5    :1082       :21         ESTAB
8493       1  out TCP   3    :21         :1082       ESTAB
23308      1  in  TCP   5    :0          :34157      SYNACK
--         -  -   --    --   --          --          --
44250      2  in  TCP   5    :0          :34157      SYNACK
--         -  -   --    --   --          --          --

How can I see the mac-sticky feature in some show command, and above all, why can I see port 0 (reserved) being used, with '--' as the second conn?

Thanks

Das
